[ovirt-devel] oVirt messages from engine to vdsm

Anastasiya Ruzhanskaya anastasiya.ruzhanskaya at frtk.ru
Mon May 7 08:11:10 UTC 2018


As a part of my university diploma, we are making a kind of access control
tool as a firewall without dependence on oVirt roles (this tool should
actually work for all libvirt-based virtualization products for KVM). It
should be similar to Hytrust products or these ones:
http://en.securitycode.ru/vGate//.
So my work is to find out what information I can use from the RPC calls and
from where I can get information about the user.

2018-05-07 11:00 GMT+03:00 Martin Sivak <msivak at redhat.com>:

> Hi,
>
> I think what you are looking for is mostly this:
> https://github.com/oVirt/vdsm/blob/master/lib/vdsm/api/vdsm-api.yml
>
> The best way to see what the traffic is is to disable SSL. The
> postgres database is installed and accessible using the postgres user
> (the engine user is not allowed to access it directly).
>
> You might also be interested in the vdsm fake project we use as node
> simulator. Its readme will tell you exactly how to do this:
> https://github.com/oVirt/ovirt-vdsmfake
>
> I wrote an article some time ago that explained how to set up a
> development environment without real hosts:
> https://www.ovirt.org/blog/2016/11/testing-ovirt-changes-without-cluster/
>
> Might I ask what your goal is?
>
> Best regards
>
> --
> Martin Sivak
> SLA / oVirt
>
> On Sun, May 6, 2018 at 6:26 AM, Anastasiya Ruzhanskaya
> <anastasiya.ruzhanskaya at frtk.ru> wrote:
> > Hello everyone!
> > Currently I want to determine what information is included in messages
> > passing from oVirt engine to VDSM on ovirt-node.
> >
> > I made up a really simple configuration with one VM representing engine,
> > another - node, and managed to successfully launch a single VM on this
> > node.
> > However, I have chosen to configure everything automatically. Currently
> > traffic is encrypted with default certificates.
> > So, there are three options for me and none of them really works.
> >
> > 1) Find the format of messages (what the fields are, session id for
> > example) in docs, but I didn't manage to find it;
> > 2) Use Wireshark to decrypt the traffic and then apply maybe a
> > json-dissector to the decrypted data. I have tried many solutions (thank
> > god I have RSA private and public keys, but there is another session key
> > which is generated every time engine starts to communicate with vdsm,
> > which I cannot get with the help of sslkeylog file or ld_preload
> > technology).
> > Maybe someone knows the exact methodology how to do this correctly?
> >
> > 3) Turn off SSL in oVirt. It is simple to do that for vdsm, but for
> > engine, according to answers on oVirt site, I should do 2 requests to the
> > database.
> > I was really surprised that psql was not installed by oVirt on my system.
> > How did it then create a default database? (I have chosen to create all
> > locally and with default configurations).
> > I mean these two commands:
> > https://www.ovirt.org/develop/developer-guide/vdsm/connecting-development-vdsm-to-engine/
> > I have the following error there:
> > psql: FATAL: Peer authentication failed for user "engine"
> >
> > Could you please guide me on what method is the best and how I should
> > correct my faults there?
> >